New Solaris ACL Model

Previous versions of the Solaris OS supported an ACL implementation
that was primarily based on the POSIX-draft ACL specification. The POSIX-draft
based ACLs are used to protect UFS files and are translated by versions of
NFS prior to NFSv4.

With the introduction of NFSv4, a new ACL model fully supports the interoperability
that NFSv4 offers between UNIX and non-UNIX clients. The new ACL implementation,
as defined in the NFSv4 specification, provides much richer semantics that
are based on NT-style ACLs.

The main differences of the new ACL model follow:

The new ACL model is based on the NFSv4 specification and
is similar to NT-style ACLs.

The new model provides a much more granular set of access
privileges. For more information, see Table 8–2.

ACLs are set and displayed with the chmod and ls commands rather than the setfacl and getfacl commands.

The new model provides richer inheritance semantics for designating
how access privileges are applied from a directory to subdirectories, and
so on. For more information, see ACL Inheritance.

Both ACL models provide more fine-grained access control than is available
with the standard file permissions. Much like POSIX-draft ACLs, the new ACLs
are composed of multiple Access Control Entries (ACEs).

POSIX-draft based ACLs use a single entry to define which permissions
are allowed and which permissions are denied. The new ACL model has two types
of ACEs that affect access checking: ALLOW and DENY.
As such, you cannot infer from any single ACE that defines a set of permissions
whether the permissions that weren't defined in that ACE are allowed or denied.

Translation between NFSv4 ACLs and POSIX-draft ACLs is as follows:

If you use an ACL-aware utility, such as the cp, mv, tar, cpio, or rcp command,
to transfer UFS files with ACLs to a ZFS file system, the POSIX-draft ACLs
are translated into the equivalent NFSv4 ACLs.

Some NFSv4 ACLs are translated into POSIX-draft ACLs. You
see a message similar to the following if an NFSv4 ACL isn't translated into
a POSIX-draft ACL:

If you create a UFS tar or cpio archive
with the preserve ACL option (tar-p or cpio-P) on a system that runs a current Solaris
release, you will lose the ACLs when the archive is extracted on a system
that runs a previous Solaris release.

All of the files are extracted
with the correct file modes, but the ACL entries are ignored.

You can use the ufsrestore command to restore
data into a ZFS file system. If the original data includes POSIX-draft ACLs,
they are translated into to NFSv4 ACLs.

If you attempt to set an NFSv4 ACL on a UFS file, you see
a message similar to the following:

chmod: ERROR: ACL type's are different

If you attempt to set a POSIX-draft ACL on a ZFS file, you
see messages similar to the following:

# getfacl filea
File system doesn't support aclent_t style ACL's.
See acl(5) for more information on Solaris ACL support.

Identifies the ACL-entry-type for trivial
ACL syntax. For a description of ACL entry types, see Table 8–1.

user or group:ACL-entry-ID=username or groupname

Identifies the ACL-entry-type for explicit
ACL syntax. The user and groupACL-entry-type must also contain the ACL-entry-ID, username or groupname. For a description of ACL entry
types, see Table 8–1.

access-permissions/.../

Identifies the access permissions that are granted or denied.
For a description of ACL access privileges, see Table 8–2.

inheritance-flags

Identifies an optional list of ACL inheritance flags. For
a description of the ACL inheritance flags, see Table 8–3.

deny | allow

Identifies whether the access permissions are granted or denied.

In the following example, the ACL-entry-ID value
is not relevant:

group@:write_data/append_data/execute:deny

The following example includes an ACL-entry-ID because
a specific user (ACL-entry-type) is included in the ACL.

0:user:gozer:list_directory/read_data/execute:allow

When an ACL entry is displayed, it looks similar to the following:

2:group@:write_data/append_data/execute:deny

In this example, the 2, known as
the index-ID designation, identifies the ACL entry in
the larger ACL, which might have multiple entries for owner, specific UIDs,
group, and everyone. You can specify the index-ID with
the chmod command to identify which part of the ACL you
want to modify. For example, you can identify index ID 3 as A3 in
the chmod command syntax, similar to the following:

chmod A3=user:venkman:read_acl:allow filename

ACL entry types, which are the ACL representations of owner, group,
and other, are described in the following table.

Table 8–1 ACL Entry Types

ACL Entry Type

Description

owner@

Specifies the access granted to the owner of the object.

group@

Specifies the access granted to the owning group of the object.

everyone@

Specifies the access granted to any user or group that does not match
any other ACL entry.

user

With a user name, specifies the access granted to an additional user
of the object. This entry must include the ACL-entry-ID,
which contains a username or userID.
If the value is not a valid numeric UID or username,
the ACL entry type is invalid.

group

With a group name, specifies the access granted to an additional group
of the object. This entry must include the ACL-entry-ID,
which contains a groupname or groupID.
If the value is not a valid numeric GID or groupname,
the ACL entry type is invalid.

ACL access privileges are described in the following table.

Table 8–2 ACL Access Privileges

Access Privilege

Compact Access Privilege

Description

add_file

w

Permission to add a new file to a directory.

add_subdirectory

p

On a directory, permission to create a subdirectory.

append_data

p

Placeholder. Not currently implemented.

delete

d

Permission to delete a file.

delete_child

D

Permission to delete a file or a directory within a directory.

execute

x

Permission to execute a file or search the contents of a directory.

list_directory

r

Permission to list the contents of a directory.

read_acl

c

Permission to read the ACL (ls).

read_attributes

a

Permission to read the basic attributes (non-ACLs) of a file. Think
of basic attributes as the stat-level attributes. Allowing this access mask
bit means that the entity can execute ls(1) and stat(2).

read_data

r

Permission to read the contents of a file.

read_xattr

R

Permission to read the extended attributes of a file or to perform a
lookup in the file's extended attributes directory.

synchronize

s

Placeholder. Not currently implemented.

write_xattr

W

Permission to create extended attributes or write to the extended attributes
directory.

Granting this permission to a user means that the user can create an
extended attribute directory for a file. The attribute file's permissions
control the user's access to the attribute.

write_data

w

Permission to modify or replace the contents of a file.

write_attributes

A

Permission to change the time stamps associated with a file or directory
to an arbitrary value.

write_acl

C

Permission to write the ACL or to modify the ACL by using the chmod command.

write_owner

o

Permission to change the file's owner or group. Or, the ability to execute
the chown or chgrp command on the file.

Permission to take ownership of a file or permission to change the group
ownership of a file to a group of which the user is a member. If you want
to change the file or group ownership to an arbitrary user or group, then
the PRIV_FILE_CHOWN privilege is required.

ACL Inheritance

The purpose of using ACL inheritance is so that a newly created file
or directory can inherit the ACLs they are intended to inherit, but without
disregarding the existing permissions on the parent directory.

By default, ACLs are not propagated. If you set a non-trivial ACL on
a directory, it is not inherited by any subsequent directory. You must specify
the inheritance of an ACL on a file or directory.

The optional inheritance flags are described in the following table.

Table 8–3 ACL Inheritance Flags

Inheritance Flag

Compact Inheritance Flag

Description

file_inherit

f

Inherit the ACL from the parent directory but only applies to the directory's
files.

dir_inherit

d

Inherit the ACL from the parent directory but only applies to the directory's
subdirectories.

inherit_only

i

Inherit the ACL from the parent directory but applies only to newly
created files or subdirectories and not the directory itself. This flag requires
the file_inherit flag, the dir_inherit flag,
or both, to indicate what to inherit.

no_propagate

n

Only inherit the ACL from the parent directory to the first-level contents
of the directory, not the second-level or subsequent contents. This flag requires
the file_inherit flag, the dir_inherit flag,
or both, to indicate what to inherit.

-

N/A

No permission granted.

In addition, you can set a default ACL inheritance policy on a file
system that is more strict or less strict by using the aclinherit file
system property. For more information, see the next section.

ACL Properties

A ZFS file system has two properties related to ACLs.

aclinherit – This property determines
the behavior of ACL inheritance. Values include the following:

discard – For new objects, no ACL
entries are inherited when a file or directory is created. The ACL on the
new file or directory is equal to the permissions of the file or directory.

noallow – For new objects, only inheritable
ACL entries that have an access type of deny are inherited.

restricted – For new objects, the write_owner and write_acl permissions are removed
when an ACL entry is inherited.

passthrough – When the property value
is set to passthrough, files are created with permissions
determined by the inheritable ACEs. If no inheritable ACEs exist that affect
the permissions, then the permissions are set in accordance to the requested
permissions from the application.

passthrough-x – This property value
has the same semantics as passthrough, except that when passthrough-x is enabled, files are created with the execute (x) permission, but only if the execute permission is set in the
file creation mode and in an inheritable ACE that affects the mode.

The default value for the aclinherit property is restricted.

aclmode – This property modifies
ACL behavior when a file is initially created or whenever a file or directory's
permissions are modified by the chmod command. Values include
the following:

discard – All ACL entries are removed
except for the entries needed to define the mode of the file or directory.

groupmask – User or group ACL permissions
are reduced so that they are no greater than the group permissions, unless
it is a user entry that has the same UID as the owner of the file or directory.
Then, the ACL permissions are reduced so that they are no greater than the
owner permissions.

passthrough – During a chmod operation,
ACEs other than owner@, group@, or everyone@ are not modified in any way. ACEs with owner@, group@, or everyone@ are disabled to set the
file mode as requested by the chmod operation.

The default value for the aclmode property is groupmask.

Setting ACLs on ZFS Files

As implemented with ZFS, ACLs are composed of ACL entries. ZFS provides
a pure ACL model, where all files have an ACL. Typically,
the ACL is trivial in that it only represents the traditional
UNIX owner/group/other entries.

If you change the permissions of the file, a file's ACL is updated accordingly.
In addition, if you remove a non-trivial ACL that granted a user access to
a file or directory, that user could still have access to the file or directory
because of the file or directory's permission bits that grant access to a
group or to everyone. All access control decisions are governed by the permissions
represented in a file or directory's ACL.

The primary rules of ACL access on a ZFS file follow:

ZFS processes ACL entries in the order they are listed in
the ACL, from the top down.

Only ACL entries that have a “who” that matches
the requester of the access are processed.

After an allow permission has been granted,
it cannot be denied by a subsequent ACL deny entry in the
same ACL permission set.

The owner of a file is granted the write_acl permission
unconditionally, even if the permission is explicitly denied. Otherwise, any
permission left unspecified is denied.

In cases of deny permissions
or when an access permission for a file is missing, the privilege subsystem
determines what access request is granted for the owner of the file or for
superuser. This mechanism prevents owners of files from getting locked out
of their files and enables superuser to modify files for recovery purposes.

If you set a non-trivial ACL on a directory, the ACL is not automatically
inherited by the directory's children. If you set a non-trivial ACL and you
want it to be inherited by the directory's children, you have to use the ACL
inheritance flags. For more information, see Table 8–3 and Setting ACL Inheritance on ZFS Files in Verbose Format.

When you create a new file and depending on the umask value,
a default trivial ACL, similar to the following, is applied:

Note that each user category (owner@, group@, everyone@) has two ACL entries in this example. One entry is for deny permissions, and one entry is for allow permissions.

A description of this file ACL follows:

0:owner@

The owner is denied execute permission on the file (execute:deny).

1:owner@

The owner can read and modify the contents of the file (read_data/write_data/append_data). The owner can also modify the
file's attributes such as time stamps, extended attributes, and ACLs (write_xattr/write_attributes
/write_acl). In addition, the owner can modify the ownership of
the file (write_owner:allow).

2:group@

The group is denied modify and execute permissions on the
file (write_data/append_data/execute:deny).

3:group@

The group is granted read permissions to the file (read_data:allow).

4:everyone@

Everyone who is not the owner of the file or a member of the
owning group of the file is denied permission to execute or modify the contents
of the file and to modify any attributes of the file (write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny).

5:everyone@

Everyone who is not the owner of the file or a member of the
owning group of the file is granted read permissions on the file and the file's
attributes (read_data/read_xattr/read_attributes/read_acl/synchronize:allow). The synchronize access permission is not currently
implemented.

When you create a new directory and depending on the umask value,
a default directory ACL, similar to the following is applied:

The owner can read and modify the directory contents (list_directory/read_data/add_file/write_data/add_subdirectory/append_data), search the contents (execute), and modify
the directory's attributes such as time stamps, extended attributes, and ACLs
(write_xattr/write_attributes/write_acl). In addition,
the owner can modify the ownership of the directory (write_owner:allow).

2:group@

The group cannot add to or modify the directory contents (add_file/write_data/add_subdirectory/append_data:deny).

3:group@

The group can list and read the directory contents. In addition,
the group has execute permission to search the directory contents (list_directory/read_data/execute:allow).

4:everyone@

Everyone who is not the owner of the file or a member of the
owning group of the file is denied permission to add to or modify the contents
of the directory (add_file/write_data/add_subdirectory/append_data).
In addition, the permission to modify any attributes of the directory is denied
(write_xattr/write_attributes/write_acl/write_owner:deny).

5:everyone@

Everyone who is not the owner of the file or a member of the
owning group of the file is granted read and execute permissions on the directory
contents and the directory's attributes (list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:allow). The synchronize access permission is not currently
implemented.

Setting and Displaying ACLs on ZFS Files in Verbose
Format

You can use the chmod command to modify ACLs on ZFS
files. The following chmod syntax for modifying ACLs uses acl-specification to identify the format of the ACL. For a description
of acl-specification, see Syntax Descriptions for Setting ACLs.

Adding ACL entries

Adding an ACL entry for a user

% chmod A+acl-specificationfilename

Adding an ACL entry by index-ID

% chmod Aindex-ID+acl-specificationfilename

This syntax inserts the new ACL entry at the specified index-ID location.

Replacing an ACL entry

% chmod A=acl-specificationfilename

% chmod Aindex-ID=acl-specificationfilename

Removing ACL entries

Removing an ACL entry by index-ID

% chmod Aindex-ID- filename

Removing an ACL entry by user

% chmod A-acl-specificationfilename

Removing all non-trivial ACEs from a file

% chmod A- filename

Verbose ACL information is displayed by using the ls-v command. For example:

In this output, the file's permissions are reset from 644 to 640. Read permissions for everyone@ are effectively
removed from the file's permissions when the ACL allow permissions
are removed for everyone@.

In the following example, the existing ACL is replaced with read_data/write_data permissions for everyone@:

In this output, the chmod syntax effectively replaces
the existing ACL with read_data/write_data:allow permissions
to read/write permissions for owner, group, and everyone@. In this model, everyone@ specifies access to
any user or group. Because no owner@ or group@ ACL
entry exists to override the permissions for owner and group, the permissions
are set to 666.

In the following example, the existing ACL is replaced with read permissions
for user gozer:

In this output, the file permissions are computed to be 000 because
no ACL entries exist for owner@, group@,
or everyone@, which represent the traditional permission
components of a file. The owner of the file can resolve this problem by resetting
the permissions (and the ACL) as follows:

Setting ACL Inheritance on ZFS Files in Verbose Format

You can specify whether and how ACLs are inherited on files and directories.
By default, ACLs are not propagated. If you set a non-trivial ACL on a directory,
the ACL is not inherited by any subsequent directory. You must specify the
inheritance of an ACL on a file or directory.

In addition, two ACL properties can be set globally on file systems: aclinherit and aclmode. By default, aclinherit is set to restricted and aclmode is
set to groupmask.

If a test.dir subdirectory is created, the ACE
for user gozer is not propagated. User gozer would
only have access to the subdirectory if the permissions on the subdirectory
granted him access as the file owner, group member, or everyone@.
For example:

In this example, user gozer's permissions are applied
on the newly created test2.dir/file.2 file. The ACL inheritance
granted, read_data:file_inherit:allow, means that user gozer can read the contents of any newly created file.

Because the aclmode property for this file is set
to the default value, groupmask, user gozer does
not have write_data permission on file.2 because
the file's group permission does not allow it.

When using the inherit_only permission, which is
applied when the file_inherit or dir_inherit flag
is set, is used to propagate the ACL through the directory structure. As such,
user gozer is only granted or denied permission from everyone@ permissions unless he is the file owner or a member of
the file's group owner. For example:

In these examples, because the permissions of the parent directory for group@ and everyone@ deny write and execute permissions,
user gozer is denied write and execute permissions. The
default aclinherit property is restricted,
which means that write_data and execute permissions
are not inherited.

In this example, user gozer is granted read, write,
and execute permissions that are inherited for newly created files. However,
they are not propagated to subsequent contents of the directory.

Example 8–7 ACL Inheritance With aclmode Property
Set to passthrough

As the following example shows, when the aclmode property
on the tank/cindys file system is set to passthrough, user gozer inherits the ACL applied on the test4.dir directory for the newly created file.4:

Example 8–9 ACL Inheritance With the aclinherit Property
Set to noallow

In the following example, two non-trivial ACLs with file inheritance
are set. One ACL allows read_data permission, and one ACL
denies read_data permission. This example also shows how
you can specify two ACEs in the same chmod command.

Setting and Displaying ACLs on ZFS Files in Compact
Format

You can set and display permissions on ZFS files in a compact format
that uses 14 unique letters to represent the permissions. The letters that
represent the compact permissions are listed in Table 8–2 and Table 8–3.

You can display compact ACL listings for files and directories by using
the ls-V command. For example:

The owner can read and modify the contents of the file (rw=read_data/write_data, p=append_data). The owner can also modify the file's attributes such
as time stamps, extended attributes, and ACLs (A=write_xattr, W=write_attributes, and C=write_acl). In addition, the owner can modify
the ownership of the file (o=write_owner).

group@

The group is denied modify and execute permissions on the
file (write_data, p=append_data,
and x=execute).

group@

The group is granted read permissions on the file (r=read_data).

everyone@

Everyone who is not the owner of the file or a member of the
owning group of the file is denied permission to execute or modify the contents
of the file, and to modify any attributes of the file (w=write_data, x=execute, p=append_data, A=write_xattr, W=write_attributes, C=write_acl, and o=write_owner).

everyone@

Everyone who is not the owner of the file or a member of the
owning group of the file on the file and the file's attributes (r=read_data, a=append_data, R=read_xattr, c=read_acl, and s=synchronize). The synchronize access permission is not currently implemented.

The compact ACL format provides the following advantages over the verbose
ACL format:

Permissions can be specified as positional arguments to the chmod command.

The hyphen (-) characters, which identify no permissions,
can be removed. Only the required letters need to be specified.

You can also cut and paste permissions and inheritance flags from the ls-V output into the compact chmod format.
For example, to duplicate the permissions and inheritance flags on the dir.2 directory for user gozer to user cindys on dir.2, copy and paste the permissions and
inheritance flags (rwx-----------:fd----:allow)
into your chmod command as follows:

Example 8–11 ACL Inheritance With the aclinherit Property
Set to passthrough

A file system that has the aclinherit property set
to passthrough inherits all inheritable ACL entries without
any modifications made to the ACL entries when they are inherited. When this
property is set to passthrough, files are created with
a permissions that are determined by the inheritable ACEs. If no inheritable
ACEs exist that affect the permissions, then the permissions are set in accordance
to the requested permissions from the application.

The following examples use compact ACL syntax to show how to inherit
permissions by setting the aclinherit property to passthrough.

In this example, an ACL is set on the test1.dir directory
to force inheritance. The syntax creates an owner@, group@, and everyone@ ACL entry for newly
created files. Newly created directories inherit an @owner, group@, and everyone@ ACL entry. Additionally,
directories inherit six other ACEs that propagate the ACEs to the newly created
directories and files.

The -di-- and f-i--- entries are
for propagating inheritance and are not considered during access control.
In this example, a file is created with a trivial ACL in another directory
where inherited ACEs are not present.

Example 8–12 ACL Inheritance With the aclinherit Property
Set to passthrough-x

When aclinherit property is set to passthrough-x, files are created with the execute (x) permission
for owner@, group@, or everyone@,
but only if execute permission is set in file creation mode and in an inheritable
ACE that affects the mode.

The following example shows how to inherit the execute permission by
setting the aclinherit property to passthrough-x.

# zfs set aclinherit=passthrough-x tank/cindys

The following ACL is set on /tank/cindys/test1.dir to
provide executable ACL inheritance for files for owner@, group@, and everyone@.